Reverse CAPTCHA: Evaluating LLM Susceptibility to Invisible Unicode Instruction Injection

A test of five LLMs (GPT-5.2, GPT-4o-mini, Claude Opus/Sonnet/Haiku) found they can be manipulated by invisible instructions embedded in zero-width characters and Unicode Tags within normal text. Models with tool access or code execution capabilities may decode and follow these hidden payloads. OpenAI and Anthropic models showed varying vulnerabilities to different encoding schemes, and standard Unicode normalization does not remove these characters. A single prompt hinting at hidden Unicode can trigger extraction.